Snort mailing list archives
Re: my logs is flooding with snort w/ some weird message about port 53
From: "alexus" <ml () db nexgen com>
Date: Tue, 4 Sep 2001 17:36:41 -0400
I have in my snort.conf

var HOME_NET $fxp0_ADDRESS
var DNS_SERVERS $HOME_NET

I thought it's already in.. I don't want to turn off that rule, I want to configure my bind/named to use a higher port than 1023.
If someone knows how to do it, please let me know.

Thanks in advance

----- Original Message -----
From: "Martin Roesch" <roesch () sourcefire com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, September 04, 2001 9:29 PM
Subject: Re: [Snort-users] my logs is flooding with snort w/ some weird message about port 53

Turn off that rule or tune it to ignore your DNS servers. Just because a rule is in the set doesn't mean you have to run it.

-Marty

alexus wrote:

> hello
>
> for some reason I get a lot of traffic on my port 53, even though my nameserver is closed to the public. Can someone explain to me what that means?
>
> Sep 4 14:44:05 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 24.69.255.195:53 -> 66.92.98.145:53
> Sep 4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 194.67.2.114:53 -> 66.92.98.145:53
> Sep 4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 207.236.57.98:53 -> 66.92.98.145:53
> Sep 4 14:44:08 box snort[11565]: [1:515:2] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 207.236.57.98:53 -> 66.92.98.145:53
>
> Just for example, right now it's 2:45pm and since morning I already got
>
> su-2.05# grep -c "MISC source port 53" /var/log/all.log
> 9222
> su-2.05#
>
> of those entries in my log.
>
> Please help. If this is legit traffic, which rule can I comment out so it won't show in my logs? And if this traffic is legit, why does it show as "potentially bad traffic"?
>
> Thanks in advance
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - President, Sourcefire Inc.
roesch () sourcefire com - http://www.sourcefire.com
Snort - Open Source Network IDS! http://www.snort.org
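Added example, not part of the original thread or of Snort itself: a small triage script for deciding whether the rule can safely be tuned to ignore the DNS servers, as suggested above. It parses alerts in the syslog format quoted in the post and separates UDP 53 -> 53 traffic aimed at the local name server from anything else the rule caught. It assumes 66.92.98.145 is the host running named; the function names are hypothetical and the fifth sample line is constructed.

```python
import re
from collections import Counter

# Syslog alert layout as it appears in the quoted log lines above.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_alert(line):
    """Return the alert fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields

def triage(lines, dns_servers):
    """Separate UDP 53 -> 53 alerts aimed at our name servers from the rest."""
    resolver_peers, other = Counter(), []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        # Remote port 53 answering local port 53 on a host that runs named:
        # candidate for a DNS_SERVERS exclusion rather than investigation.
        if (alert["proto"] == "UDP" and alert["sport"] == 53
                and alert["dport"] == 53 and alert["dst"] in dns_servers):
            resolver_peers[alert["src"]] += 1
        else:
            other.append(alert)
    return resolver_peers, other

PREFIX = ("box snort[11565]: [1:515:2] MISC source port 53 to <1024 "
          "[Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} ")
SAMPLE = [  # first four lines are from the post; the last is constructed
    "Sep 4 14:44:05 " + PREFIX + "24.69.255.195:53 -> 66.92.98.145:53",
    "Sep 4 14:44:08 " + PREFIX + "194.67.2.114:53 -> 66.92.98.145:53",
    "Sep 4 14:44:08 " + PREFIX + "207.236.57.98:53 -> 66.92.98.145:53",
    "Sep 4 14:44:08 " + PREFIX + "207.236.57.98:53 -> 66.92.98.145:53",
    "Sep 4 14:45:10 " + PREFIX + "192.0.2.10:53 -> 66.92.98.145:111",
]

if __name__ == "__main__":
    peers, other = triage(SAMPLE, dns_servers={"66.92.98.145"})
    print("name-server peers:", dict(peers))
    print("needs a closer look:", [(a["src"], a["dport"]) for a in other])
```

Alerts that land in the second list are the ones the rule should keep firing on after the name servers are excluded.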